FMX Support Center

FMX Single Sign-On for Active Directory Federation Services (AD FS)

What is single sign-on? What is involved in the integration?

Single sign-on (SSO) is a workflow that allows users within an organization to access their FMX site without entering a username or password. The user's login information is obtained automatically from the organization's internal network and passed through to FMX behind the scenes. The integration consists of the organization's IT department configuring their Active Directory system to support the connection with FMX. Skip this article if your company is not using the single sign-on integration. If your company has chosen to use the single sign-on integration, please read the directions below.

FMX supports the WS-Federation specification for single sign-on (SSO) integration. To integrate with an on-premise Active Directory installation, Active Directory Federation Services (AD FS) 2.0 is required. Users without an on-premise directory, such as Office 365 users, can integrate with FMX using Windows Azure Active Directory.

 

Scenario 1: Office 365 / Azure Active Directory

  1. Log on to the Azure portal.
  2. Navigate to Active Directory, select App registrations, then click New application registration at the top to start a new app registration.
  3. In the Create page:
    • Enter "FMX" for the name
    • Select "Web application and/or web API" for the type
    • Enter "https://yourcompany.gofmx.com/login" (replace yourcompany with your unique hostname)
    • Click Create
  4. In a few seconds, you should see the new app registration you just created.
  5. Once the app registration has been added, click on the app registration name, click on Settings at the top, then click on Properties.
  6. In the App ID URI box, enter the Application URL "https://yourcompany.gofmx.com/" (replace yourcompany with your unique hostname).
  7. Click on Settings at the top, then click on Reply URLs.
  8. Replace the Reply URL with "https://yourcompany.gofmx.com/login/ws-federation/callback" (replace yourcompany with your unique hostname).
  9. Close the Registered app page. On the App registrations page, click on the Endpoints button at the top, then copy the Federation Metadata Document URL.

To complete the integration, provide FMX with the value of the "Federation Metadata Document URL".

 

Scenario 2: On-Premise Active Directory with existing AD FS 2.0 installation

Add FMX as a relying party using the following information (refer to Scenario 3 for more detailed instructions on how to do this):

WS-Federation URL

  • https://yourcompany.gofmx.com/federationmetadata/2007-06/federationmetadata.xml

Claims rules

  • Copy the names or URLs below into the Outgoing Claim Type column. Each friendly name corresponds to the claim URL listed with it, so either form can be used.

  LDAP Attribute        Outgoing Claim Type
  User-Principal-Name   * Name ID, or http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
  E-Mail-Addresses      E-Mail Address, or http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
  Given-Name            Given Name, or http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
  Surname               Surname, or http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
  Telephone-Number      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/homephone


Completing integration

Simply provide FMX with the federation metadata document that AD FS generates. You can find this document at the following URL:

  • https://<your-ad-fs-server-hostname>/FederationMetadata/2007-06/FederationMetadata.xml

Note that this document is different from the one used to add FMX as a relying party. If your AD FS metadata document is exposed to the public internet (recommended), you can simply provide FMX with its URL. However, if your AD FS server is only accessible from your organization's internal network, you'll need to provide a copy of the document.

Considerations

The disadvantage of providing a copy of the metadata document rather than a URL is that the document contains a token-signing certificate that expires, usually after one year, at which point you'll need to provide another copy. It may also cause an interruption in service if the certificate expires before you're able to provide FMX with a new copy. By providing a URL, FMX will seamlessly and automatically synchronize changes to your document in order to keep the certificate current.
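If you must hand FMX a copy of the document, you need to know when the token-signing certificate inside it expires. The following is an added example, not part of the FMX article, that reads an AD FS federation metadata document (URL or saved file) and reports the expiry of each signing certificate; the function name and the placeholder hostname are assumptions.

```powershell
# Added example (not from the FMX article): reports when the token-signing
# certificate(s) in an AD FS federation metadata document expire, so a copy
# handed to FMX can be refreshed before sign-in breaks. Works on PowerShell 2.0.
function Get-FederationSigningCertExpiry {
    param(
        # Public metadata URL or a path to a saved copy of the document.
        [Parameter(Mandatory = $true)][string]$MetadataSource
    )

    if ($MetadataSource -match '^https?://') {
        [xml]$metadata = (New-Object System.Net.WebClient).DownloadString($MetadataSource)
    } else {
        [xml]$metadata = Get-Content -Path $MetadataSource
    }

    # Namespaces used in the WS-Federation / SAML metadata document.
    $ns = New-Object System.Xml.XmlNamespaceManager($metadata.NameTable)
    $ns.AddNamespace("md", "urn:oasis:names:tc:SAML:2.0:metadata")
    $ns.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#")

    # Only use="signing" keys matter: that is the certificate FMX validates tokens against.
    $nodes = $metadata.SelectNodes("//md:KeyDescriptor[@use='signing']//ds:X509Certificate", $ns)
    if ($nodes.Count -eq 0) { throw "No token-signing certificate found in $MetadataSource" }

    foreach ($node in $nodes) {
        $bytes = [Convert]::FromBase64String($node.InnerText.Trim())
        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
        $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
        $status = if ($daysLeft -lt 0) { "EXPIRED" } elseif ($daysLeft -le 30) { "EXPIRING SOON" } else { "OK" }
        New-Object PSObject -Property @{
            Status     = $status
            NotAfter   = $cert.NotAfter
            DaysLeft   = $daysLeft
            Thumbprint = $cert.Thumbprint
            Subject    = $cert.Subject
        }
    }
}

# Placeholder hostname; substitute your AD FS server (or a local file path).
# The same certificate usually appears in more than one descriptor, so dedupe by thumbprint.
Get-FederationSigningCertExpiry -MetadataSource "https://<your-ad-fs-server-hostname>/FederationMetadata/2007-06/FederationMetadata.xml" |
    Sort-Object Thumbprint -Unique |
    Format-Table Status, DaysLeft, NotAfter, Thumbprint, Subject -AutoSize
```

Run it against the copy you are about to send; an EXPIRING SOON result means the copy will stop working within a month and a fresh document (or, preferably, the public URL) should be supplied.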

Next steps

Click here to learn how to configure AD FS to synchronize user access permissions.

 

Scenario 3: On-Premise Active Directory, no existing AD FS 2.0 installation

(This procedure was written for Windows Server 2008 R2.  The steps may be slightly different for newer versions of Windows Server.)

Install AD FS 2.0

  1. Download and run the AD FS 2.0 installer from: http://www.microsoft.com/en-us/download/details.aspx?id=10909
  2. Choose "Federation server"
  3. Check "Start the AD FS 2.0 Management snap-in when this wizard closes" and close the installer

Configure AD FS 2.0

  1. From the "AD FS 2.0 Management" snap-in, click "AD FS 2.0 Federation Server Configuration Wizard"
  2. Choose "Create a new Federation Service"
  3. Choose "Stand-alone federation server"
  4. Select an SSL certificate (you should use a publicly signed certificate if users will authenticate outside of your internal network) and use the default Federation Service name
  5. Verify the following HTTP endpoints are accessible using a web browser:
    • Federation metadata document: https://<your-ad-fs-server-hostname>/FederationMetadata/2007-06/FederationMetadata.xml
    • Passive requestor endpoint: https://<your-ad-fs-server-hostname>/adfs/ls/ (should return an AD FS error page)

Add FMX as a relying party

  1. From the "AD FS 2.0 Management" snap-in, click "Add Relying Party Trust..." to start the Add Relying Party Trust Wizard
  2. Choose "Import data about the relying party published online or on a local network" and enter the FMX federation metadata URL: https://yourcompany.gofmx.com/federationmetadata/2007-06/federationmetadata.xml
  3. Choose "Permit all users to access this relying party"
  4. Check "Open the Edit Transform Claim Rule dialog for this relying party trust when the wizard closes" and close the wizard
  5. Click "Add Rule..." to start the Add Transform Claim Rule Wizard
  6. Choose "Send LDAP Attributes as Claims"
  7. Choose "Active Directory" and map the following LDAP attributes to outgoing claim types.
  8. Copy the names or URLs below into the Outgoing Claim Type column. Each friendly name corresponds to the claim URL listed with it, so either form can be used.

  LDAP Attribute        Outgoing Claim Type
  User-Principal-Name   * Name ID, or http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
  E-Mail-Addresses      E-Mail Address, or http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
  Given-Name            Given Name, or http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
  Surname               Surname, or http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
  Telephone-Number      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/homephone

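The relying party trust and the claim mapping from the table above (the same mapping used in Scenario 2) can also be created from the AD FS 2.0 PowerShell snap-in instead of the wizard. This is an added example, not part of the FMX article or of AD FS itself; it assumes the snap-in is available on the federation server, that the trust is named "FMX", and that yourcompany is replaced with your unique hostname.

```powershell
# Added example (not from the FMX article): registers FMX as a relying party in
# AD FS 2.0 and applies the LDAP-attribute-to-claim mapping from the table above
# using the AD FS PowerShell snap-in instead of the wizard. Replace "yourcompany".
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$rpName      = "FMX"
$metadataUrl = "https://yourcompany.gofmx.com/federationmetadata/2007-06/federationmetadata.xml"

# Equivalent of the "Send LDAP Attributes as Claims" rule with Active Directory as the store.
# The LDAP attribute names in the query map, in order, to the claim types listed:
# userPrincipalName -> Name ID, mail -> E-Mail Address, givenName -> Given Name,
# sn -> Surname, telephoneNumber -> home phone, exactly as the table specifies.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "FMX user attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/homephone"),
          query = ";userPrincipalName,mail,givenName,sn,telephoneNumber;{0}",
          param = c.Value);
'@

# Equivalent of "Permit all users to access this relying party" (step 3 of the wizard).
$authorizationRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Import the relying party from FMX's published federation metadata, then attach the rules.
Add-ADFSRelyingPartyTrust -Name $rpName -MetadataUrl $metadataUrl
Set-ADFSRelyingPartyTrust -TargetName $rpName `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authorizationRules

# Verify what AD FS stored: the identifier should be the FMX application URL and the
# transform rules should list all five claim types.
Get-ADFSRelyingPartyTrust -Name $rpName | Select-Object Name, Identifier, IssuanceTransformRules
```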

Completing integration

The remaining steps (providing FMX with your AD FS federation metadata document, the considerations about supplying a URL rather than a copy, and the next steps) are identical to those described at the end of Scenario 2 above.

